[Mimedefang] HTML Mail / Active content filter

Dianne Skoll dianne at skoll.ca
Tue Apr 11 07:59:09 EDT 2023


On Mon, 10 Apr 2023 11:32:46 +0200
Florian Lohoff via MIMEDefang <mimedefang at lists.mimedefang.org> wrote:

> I'd like to drop/replace HTML attachments/mails which contain active
> components like javascript/javascript external refs.

I think you'll find yourself blocking or damaging quite a lot of valid
email.

I think a better approach is to sanitize HTML parts by removing all tags
except for a specific set of allowed tags.  You may also want to remove
tag attributes except for a specific set of allowed attributes.

You could use a Perl module like HTML::Defang or HTML::Restrict or
HTML::Scrubber or HTML::Detoxifier or... well, you have many options. :)
Pick the one you like best.

You probably also want to avoid rebuilding the message unless the
HTML sanitizer actually made changes; there's no point in gratuitously
creating a new message and possibly breaking signatures if nothing was
changed.

If you do find HTML mail where the "body" is essentially a
document.write call on a function of a whole bunch of base64-encoded
content, then yeah... that's probably malicious and can be dropped.
Not exactly sure how to detect that, but IMO document.write in an HTML
mail is suspicious enough on its own to block.

Also, of course, plugging https://mailmunge.org/ :)  Can't resist.

Regards,

Dianne.
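
The approach described in the message above, as an added example (not part of the original post, and not MIMEDefang or Mailmunge code): an allowlist sanitizer that reports whether it removed anything, so the message is rebuilt only when needed, and that flags `document.write` found in script bodies or stripped attributes. It uses Python's standard-library parser rather than the Perl modules named above; the allowlists and the `sanitize` function name are assumptions for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed policy for illustration; tune the allowlists for your own mail flow.
ALLOWED_TAGS = {"div", "span", "p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
DROP_CONTENT = {"script", "style"}        # drop the tag and everything inside it
SAFE_HREF = re.compile(r"^(https?|mailto):", re.I)
DOC_WRITE = re.compile(r"document\s*\.\s*write(ln)?\s*\(", re.I)

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.active, self.removed, self.skip = [], [], 0, 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED_TAGS:
            self.removed += 1
            return
        kept = ""
        for name, value in attrs:
            value = value or ""
            if name in ALLOWED_ATTRS.get(tag, ()) and (name != "href" or SAFE_HREF.match(value)):
                kept += f' {name}="{escape(value, quote=True)}"'
            else:                         # event handlers, javascript: URLs, style, ...
                self.removed += 1
                self.active.append(value)
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT and self.skip:
            self.skip -= 1
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):          # script/style bodies are inspected, never emitted
        target, text = (self.active, data) if self.skip else (self.out, escape(data, quote=False))
        target.append(text)

def sanitize(html):
    """Return (html_out, changed, suspicious); html_out is the input itself if unchanged."""
    s = Sanitizer()
    s.feed(html)
    s.close()
    suspicious = bool(DOC_WRITE.search("\n".join(s.active)))
    return ("".join(s.out) if s.removed else html), bool(s.removed), suspicious
```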